Set decoder event when re-assembled fragments would exceed max IP packet size.

remotes/origin/master-1.1.x
Jason Ish 14 years ago committed by Victor Julien
parent 96c2f2c877
commit 6da9c64a28

@ -69,5 +69,6 @@ alert pkthdr any any -> any any (msg:"SURICATA GRE v1 header too big"; decode-ev
alert pkthdr any any -> any any (msg:"SURICATA VLAN header too small "; decode-event:vlan.header_too_small; sid:22000065; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA VLAN unknown type"; decode-event:vlan.unknown_type; sid:22000066; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA IP raw invalid IP version "; decode-event:ipraw.invalid_ip_version; sid:22000067; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA FRAG Packet size too large"; decode-event:frag.too_large; sid:22000067; rev:1;)
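Review bot: The added `frag.too_large` rule reuses `sid:22000067`, which the `ipraw.invalid_ip_version` rule directly above it already carries. Signature ids are expected to be unique within a ruleset, so one of the two rules is likely to be rejected or shadowed at load time, and an alert with that id could not be attributed to one event. Give the new rule its own id, for example `sid:22000068;`, provided that value is free in the rest of the file, which is not visible here.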

@ -180,6 +180,9 @@ enum {
/* SCTP EVENTS */
SCTP_PKT_TOO_SMALL, /**< sctp packet smaller than minimum size */
/* Fragmentation reasembly events. */
FRAG_PKT_TOO_LARGE,
/* should always be last! */
DECODE_EVENT_MAX,
};
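Review bot: `FRAG_PKT_TOO_LARGE` is added without the trailing `/**< … */` description that `SCTP_PKT_TOO_SMALL` just above it has, and the new section comment misspells "reassembly". Suggested lines: `/* Fragmentation reassembly events. */` and `FRAG_PKT_TOO_LARGE, /**< fragment would push the re-assembled packet past the max IP packet size */`. The enum starts outside this hunk.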

@ -780,7 +780,7 @@ DefragInsertFrag(ThreadVars *tv, DecodeThreadVars *dtv, DefragContext *dc,
/* Ignore fragment if the end of packet extends past the
* maximum size of a packet. */
if (IPV4_HEADER_LEN + frag_offset + data_len > IPV4_MAXPACKET_LEN) {
/** \todo Perhaps log something? */
DECODER_SET_EVENT(p, FRAG_PKT_TOO_LARGE);
return NULL;;
}
}
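Review bot: The IPv4 size check that now raises `FRAG_PKT_TOO_LARGE` adds the constant `IPV4_HEADER_LEN` rather than the header length of the packet being handled. If that constant is the option-less minimum header size (its definition is not visible here), a datagram carrying IP options can pass the check while the re-assembled packet would still exceed `IPV4_MAXPACKET_LEN`, and no event is set for it. Either use the decoded header length in the sum, or record the limitation next to the check, e.g. `/* NOTE: assumes an option-less header; IP options are not counted. */`. The `return NULL;;` two lines below the new call also carries a stray semicolon. DefragInsertFrag starts and ends outside the hunk.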
@ -798,7 +798,7 @@ DefragInsertFrag(ThreadVars *tv, DecodeThreadVars *dtv, DefragContext *dc,
/* Ignore fragment if the end of packet extends past the
* maximum size of a packet. */
if (frag_offset + data_len > IPV6_MAXPACKET) {
/** \todo Perhaps log something? */
DECODER_SET_EVENT(p, FRAG_PKT_TOO_LARGE);
return NULL;
}
}
@ -2546,6 +2546,8 @@ DefragIPv4TooLargeTest(void)
/* We do not expect a packet returned. */
if (Defrag(NULL, NULL, dc, p) != NULL)
goto end;
if (!DECODER_ISSET_EVENT(p, FRAG_PKT_TOO_LARGE))
goto end;
/* The fragment should have been ignored so no fragments should have
* been allocated from the pool. */
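Review bot: Only the IPv4 test gains an assertion that the event is set; the IPv6 branch of DefragInsertFrag sets the same event in this commit, but no matching IPv6 assertion is visible here. If an IPv6 too-large test exists, it should get the same two lines after its `Defrag()` call: `if (!DECODER_ISSET_EVENT(p, FRAG_PKT_TOO_LARGE))` followed by `goto end;`. Without it, a regression on the IPv6 path would drop the fragment silently and leave the `frag.too_large` rule with nothing to match. The body of DefragIPv4TooLargeTest continues outside the hunk.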

@ -110,6 +110,7 @@ struct DetectDecodeEvents_ {
{ "ipraw.invalid_ip_version",IPRAW_INVALID_IPV, },
{ "vlan.header_too_small",VLAN_HEADER_TOO_SMALL, },
{ "vlan.unknown_type",VLAN_UNKNOWN_TYPE, },
{ "frag.too_large", FRAG_PKT_TOO_LARGE, },
{ NULL, 0 },
};
#endif /* DETECT_EVENTS */
